There has been a recent uptick in attacks leveraging the Microsoft Exchange ProxyShell vulnerabilities to deploy ransomware and other malware. Although ProxyShell, an attack chaining three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for unauthenticated remote code execution (RCE), has had a patch available since mid-April, there are still 20,000+ vulnerable servers currently discoverable by Shodan.
The persistence of remotely accessible and exploitable servers has led to hackers incorporating ProxyShell into their tactics. In the last month, we have seen:
Months after patches were made available, ProxyShell is still a very real threat to organizations. We advise all NetWitness customers to review the Microsoft Exchange Team's Security Advisory on ProxyShell and, if vulnerable, apply the May 2021 or July 2021 Security Updates. We are tracking any new developments and will update our content offerings appropriately.
MSAzureGraph Universal Plugin for Microsoft Graph API by Dino Cherian (RSA Link)
Microsoft Graph is a Microsoft developer platform that enables integration with multiple services in the Microsoft cloud. It provides a unified programmability model that you can use to access the large amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.
Could Your Collaboration Tools be Hacker-Friendly? by Darren McCutchen (RSA Link)
Companies and their employees are slowly returning to in-person work, with many organizations maintaining a hybrid workforce model. The shift to remote work has resulted in an increasing reliance on web-based collaboration tools. In fact, a Gartner study found that usage of collaboration tools has nearly doubled over the last two years, going from 55% to 80% among workers.
Many of these tools, such as Microsoft Teams, Slack, and Zoom, have been integral components of organizational productivity for years, but the change to a highly remote workforce has more deeply embedded these types of applications into business operating procedures.
Realizing this opportunity, hackers and cybercriminals have altered some of their own tactics to take advantage of this new cybersecurity reality.
Collaboration tools are a more viable attack vector than they have ever been, due to their relatively recent introduction into many corporate environments and a general lack of sufficient logging from these applications.
Stops Diagtrack Service (Endpoint)
An adversary may attempt to block indicators or events, typically captured by sensors, from being gathered and analyzed. DiagTrack (Microsoft Windows Diagnostics Tracking) is a service used by the Microsoft ATP sensor to communicate with the cloud.
Potential Abuse of Odbcconf (Endpoint)
Adversaries may abuse odbcconf.exe to proxy execution of malicious DLL files and other payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.
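To show what the two endpoint rules above look for, here is a small detection routine run over constructed process-creation events. It is an added example written for this post, not the NetWitness application rules themselves; the event fields (host, image, cmdline), the rule names reused as labels, and the matching heuristics are assumptions. The first rule flags command lines that stop or disable the DiagTrack service; the second flags odbcconf.exe invocations whose command line references a DLL or response (.rsp) file, which is the proxy-execution pattern the rule description refers to.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events; these are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop DiagTrack"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Stop-Service -Name DiagTrack -Force"},
    {"host": "ws02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop spooler"},                      # benign: other service
    {"host": "ws03", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /A {REGSVR C:\Users\Public\update.dll}"},
    {"host": "ws04", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": 'odbcconf.exe CONFIGSYSDSN "SQL Server" "DSN=Reporting|SERVER=db01"'},
]

# Command-line shapes that stop or disable DiagTrack (hypothetical rule logic).
DIAGTRACK_STOP = [
    # sc stop DiagTrack / sc config DiagTrack start= disabled, optionally via \\host
    re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?(?:stop|config)\s+diagtrack\b", re.I),
    # net stop DiagTrack
    re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+diagtrack\b", re.I),
    # PowerShell Stop-Service / Set-Service ... DiagTrack within one pipeline element
    re.compile(r"\b(?:stop|set)-service\b[^|;&]*\bdiagtrack\b", re.I),
]

# Any Windows drive path on a command line, stopping at whitespace, quotes or braces.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"{}]+")


def stops_diagtrack(cmdline: str) -> bool:
    """True when the command line stops or disables the DiagTrack service."""
    return any(p.search(cmdline) for p in DIAGTRACK_STOP)


def odbcconf_loaded_files(event: Dict[str, str]) -> List[str]:
    """Return .dll/.rsp paths referenced by an odbcconf.exe command line (empty otherwise)."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "odbcconf.exe":
        return []
    return [p for p in WIN_PATH.findall(event["cmdline"])
            if p.lower().endswith((".dll", ".rsp"))]


def run_detections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply both rules to every event and return one alert per match."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if stops_diagtrack(ev["cmdline"]):
            alerts.append({"rule": "Stops Diagtrack Service", "host": ev["host"],
                           "detail": ev["cmdline"]})
        for path in odbcconf_loaded_files(ev):
            alerts.append({"rule": "Potential Abuse of Odbcconf", "host": ev["host"],
                           "detail": path})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert['rule']:30} {alert['host']:6} {alert['detail']}")
```

The odbcconf rule deliberately reports every DLL or response file the tool is asked to load rather than only files in user-writable paths; triage can then rank the alert by where the file lives and which parent process launched odbcconf.exe.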
TLD_lua
Addition of "domain" meta.
HTTP_lua
Updated to address a defect in the customHeaders option whereby decoder versions 11.6 and below may not have registered meta from headers listed in the customHeaders option.
The TLD_lua parser is responsible for creating meta for tld, cctld, and sld from hostname meta such as alias.host and fqdn.
Meta for tld is the "Top Level Domain". These are values such as "com", "org", and "co.uk".
Meta for cctld is "Country Code TLD". These are values such as "uk", "de", "cn".
Meta for sld is "Second Level Domain". This is the domain regardless of tld and cctld. Note that in all the examples below, sld meta is "amazon".
Example 1 (generic tld, no cctld):
    sld: amazon
    tld: com
Example 2, www.amazon.co.uk [amazon.co.uk]:
    sld: amazon
    tld: co.uk
    cctld: uk
Example 3 (country code as the tld):
    sld: amazon
    tld: de
    cctld: de
This makes it easy to look for a domain across all top level domains, without resorting to something like "alias.host contains 'amazon'". If you want to see all sessions containing a host with an amazon domain, just look for "sld = 'amazon'". This is especially useful for feeds.
However, sometimes you really do need just "amazon.co.uk" and not any other amazon domain. Previously you had to do something like "alias.host ends '.amazon.co.uk'" or "sld = 'amazon' and tld = 'co.uk'".
With the addition of domain meta, which concatenates the sld and tld, you can now query directly with "domain = 'amazon.co.uk'".
Example 1:
    domain: amazon.com
Example 2, www.amazon.co.uk [amazon.co.uk]:
    domain: amazon.co.uk
Example 3:
    domain: amazon.de
Meta for sld is still registered and available, and more broadly useful. Now meta for domain is available as well for any more specific needs.
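The following Python is an added illustration of how the sld, tld, cctld and domain meta described above relate to each other, and of the difference between the broad "sld = 'amazon'" query and the narrow "domain = 'amazon.co.uk'" query. It is not the TLD_lua parser: the suffix list is a small constructed subset of a public-suffix list, the host list is constructed, and the function names are hypothetical. It goes slightly beyond the post's three hosts by also handling IP literals and a bare suffix such as "co.uk", which carry no domain structure.

```python
from typing import Dict, List

# Constructed subset of public suffixes; a real parser consults a full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "cn", "uk", "co.uk", "org.uk", "com.cn"}
# Two-letter country-code TLDs within that subset.
COUNTRY_CODES = {"de", "cn", "uk"}

# Constructed hostnames standing in for alias.host / fqdn meta.
SAMPLE_HOSTS = [
    "www.amazon.com",
    "www.amazon.co.uk",
    "www.amazon.de",
    "amazon-login.example.org",   # "contains 'amazon'" would match this, sld will not
    "10.0.0.5",
]


def hostname_meta(host: str) -> Dict[str, str]:
    """Return the tld / sld / cctld / domain meta one hostname would produce."""
    labels = host.strip().strip(".").lower().split(".")
    meta: Dict[str, str] = {}
    # Single labels, IPv4 literals and bare public suffixes have no sld.
    if len(labels) < 2 or all(l.isdigit() for l in labels) or ".".join(labels) in PUBLIC_SUFFIXES:
        return meta
    # Longest matching suffix wins, so "co.uk" is preferred over "uk".
    tld = None
    for n in range(len(labels) - 1, 0, -1):
        candidate = ".".join(labels[-n:])
        if candidate in PUBLIC_SUFFIXES:
            tld = candidate
            break
    if tld is None:
        return meta
    tld_labels = tld.count(".") + 1
    sld = labels[-(tld_labels + 1)]
    meta["tld"] = tld
    meta["sld"] = sld
    meta["domain"] = f"{sld}.{tld}"   # the new "domain" meta: sld + tld
    # cctld is the country code at the end of the tld, whether "de" or "co.uk" -> "uk".
    last = tld.rsplit(".", 1)[-1]
    if last in COUNTRY_CODES:
        meta["cctld"] = last
    return meta


def matching_hosts(hosts: List[str], **criteria: str) -> List[str]:
    """Hosts whose meta satisfies every key=value given, e.g. sld='amazon'."""
    return [h for h in hosts
            if all(hostname_meta(h).get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:28} {hostname_meta(h)}")
    print("sld = 'amazon':          ", matching_hosts(SAMPLE_HOSTS, sld="amazon"))
    print("domain = 'amazon.co.uk': ", matching_hosts(SAMPLE_HOSTS, domain="amazon.co.uk"))
```

Note that cctld is derived from the last label of the tld, which is why amazon.de reports tld and cctld both as "de" while amazon.co.uk reports tld "co.uk" and cctld "uk", matching the examples above.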
Additional meta mapping and enhanced fine parsing of a few logs.
Added an additional data type to the existing one to capture more information.
Added additional meta mapping for the Check Point event source.
Added support for Azure SQL Database Audit log events.
Added additional mapping to support new fields and enhanced parsing.
Added support for new log formats.
Added support for version 9.x.
Enhanced the parser to support additional Audit Events.
Added support for version 15.x logs.
Added support for version 15.x logs.